ESB-2018.1036 - [Win][UNIX/Linux] CA API Developer Portal: Cross-site scripting - Remote with user interaction 2018-04-05



             AUSCERT External Security Bulletin Redistribution

        CA20180328-01: Security Notice for CA API Developer Portal
                               5 April 2018


        AusCERT Security Bulletin Summary

Product:           CA API Developer Portal
Publisher:         CA Technologies
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Cross-site Scripting -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-6588 CVE-2018-6587 CVE-2018-6586

Original Bulletin:

- --------------------------BEGIN INCLUDED TEXT--------------------

CA20180328-01: Security Notice for CA API Developer Portal

Issued: March 28, 2018
Last Updated: March 28, 2018

CA Technologies Support is alerting customers to multiple potential risks with
CA API Developer Portal. Multiple vulnerabilities exist that can allow a
remote attacker to conduct cross-site scripting attacks.

The first vulnerability, CVE-2018-6586, has a medium risk rating and concerns
profile picture management which can allow a remote attacker to conduct stored
cross-site scripting attacks (CWE-79).

The second vulnerability, CVE-2018-6587, has a medium risk rating and concerns
the widgetID variable, which can allow a remote attacker to conduct reflected
cross-site scripting attacks (CWE-79).

The third vulnerability, CVE-2018-6588, has a medium risk rating and concerns
how the apiExplorer handles requests, which can allow a remote attacker to
conduct reflected cross-site scripting attacks (CWE-79).

Risk Rating

|CVE Identifier            |Risk Rating      |
|CVE-2018-6586             |Medium           |
|CVE-2018-6587             |Medium           |
|CVE-2018-6588             |Medium           |


Platform

All supported platforms

Affected Products

|CVE Identifier   |Affected Product and Releases                               |
|CVE-2018-6586    |CA API Developer Portal 3.5 GA through and including CR6    |
|CVE-2018-6587    |CA API Developer Portal 3.5 GA through and including CR6    |
|CVE-2018-6588    |CA API Developer Portal 3.5 GA through and including CR5    |

*CA API Developer Portal was formerly called CA Layer 7 API Portal

Unaffected Products

CA API Developer Portal 4 and newer releases

How to determine if the installation is affected

Customers may use the CA API Developer Portal web interface to find the
product version and then use the table in the Affected Products section to
determine if the installation is vulnerable.
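The version check described above, as an added example that is not part of the CA notice or the AusCERT bulletin: it maps a version string as shown in the portal's web interface onto the Affected Products table, treating GA as the release before CR1 and CR7 as fixed. The version-string formats it accepts are an assumption.

```python
"""Added example (not from CA20180328-01): which of the three CVEs apply to a
given CA API Developer Portal version string. Thresholds are taken from the
advisory's Affected Products table; accepted string formats are assumed."""
import re
from typing import List, Optional, Tuple

# Highest cumulative release (CR) still affected, per CVE, on the 3.5 line.
# GA is treated as CR0; CR7 is the release that fixes all three issues.
AFFECTED_3_5_THROUGH_CR = {
    "CVE-2018-6586": 6,
    "CVE-2018-6587": 6,
    "CVE-2018-6588": 5,
}

# Accepts forms such as "3.5", "3.5 GA", "3.5 CR6", "3.5.0 cr06", "4.2".
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.\d+)*\s*(?:GA|CR\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, cr), or None if the string is not understood.
    A bare '3.5' and '3.5 GA' both map to cr=0 (the GA build)."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, cr = int(m.group(1)), int(m.group(2)), m.group(3)
    return major, minor, int(cr) if cr else 0


def affected_cves(version_text: str) -> List[str]:
    """CVEs from CA20180328-01 that apply to this installation.
    Raises ValueError for unparseable strings and for releases the advisory
    does not list, so an inventory job fails loudly rather than reporting
    'clean' by accident."""
    parsed = parse_version(version_text)
    if parsed is None:
        raise ValueError(f"unrecognised version string: {version_text!r}")
    major, minor, cr = parsed
    if major >= 4:
        return []  # "CA API Developer Portal 4 and newer releases" unaffected
    if (major, minor) != (3, 5):
        raise ValueError(f"release {major}.{minor} is not covered by the notice")
    return [cve for cve, last_bad_cr in AFFECTED_3_5_THROUGH_CR.items()
            if cr <= last_bad_cr]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("portal-a", "3.5 GA"), ("portal-b", "3.5 CR5"),
                      ("portal-c", "3.5 CR6"), ("portal-d", "3.5 CR7"),
                      ("portal-e", "4.2")]:
        print(host, ver, "->", affected_cves(ver) or "not affected")
```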


Solution

CA Technologies published the following solution to address the
vulnerabilities.

CA API Developer Portal 3.5:

Update to CA API Developer Portal 3.5 CR7 to address all vulnerabilities in
this security notice.

CA API Management Solutions & Patches


References

CVE-2018-6586 - CA API Developer Portal profile picture stored XSS
CVE-2018-6587 - CA API Developer Portal widgetID reflected XSS
CVE-2018-6588 - CA API Developer Portal apiExplorer reflected XSS


Acknowledgements

CVE-2018-6586, CVE-2018-6587, CVE-2018-6588 - Alphan Yavas from Biznet Bilisim

Change History

Version 1.0: 2018-03-28 - Initial Release

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email:
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.

